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accurity cousiderations at an early date would be accomplighed iv 

the Office of Security could also have a represontative attend 

muctings of the IF Board and the Technical Review Comlttes oP OCS. 
Recommendation Ho. & | 


_ & That the TP Beard invite a security advisor 
to be present at all Board mectings. 


b. That OCS have a aecurity advisor present at 
O11, meetings of die Technical Review Comzlitee, 
i 3- The security constraints associated with the use of ALP 
way well be the key factor in determining how fast and how fer the 
Agency ean go in utilizing coupe wrizeg inhouse and communliy-wide 
interactive aud/or time-sharing intormetion systems. Nore in-dapil 
anslysis ig needed to clearly identify the degree of vulnerability 
and risk involved, and to devise and test the controls reguired in 
establishing acceptable security stendards. The sicille reguived for 
guch studies eng expertonents are in short supply, and unless tlis 
teak 18 secorded a high priority, the benefita contumplated from tino 
eharing interactive services Will most likely have to be deferred 
pending the solution of security probleus. Some tough decisions lie 
ahead for top-level management in connection with tbalaneing the 
traditional requirements for security compartuentstion of inforustica 
against the advantages uhicn might accrue from ADP interactive tinc- 


sharing services 4f thease requirements were relaxed. Areacy manacce 


ment will need wll the. expert advice and assistance it can get oa 
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Lh. In apite of the foregoing recognized nced for expert 
seeurity advice, rather than ineresoing the OS eapsbility in the 
ADP field as we believe ig necessary, @ recent decision wes made | 
ce) reduce the number of security people working on ALP matters. we , 
fear that this may be Yalge economy. The Agency will most certainly 
need an increased aucber of highly aie 4néividuals in the fTieil — 
of ADP security. . 

5. OCS participates is the Comummity Oa-Line Tatelligence Syst bets 
experiment (COINS), firat groposed by the President's Forciga Intei~ 
ligence Aévisory Board mar This systen hae many of the save 
security problems as those outlined above. . 

6. Official in OCS believe that COINS would best mect FPINB 
hopes 2f 1% vere & time-sharing, multd-claseificstioa level systeu. 
Suth a systen would allow @ user to quexy oaly those files for whico 


he was cleared or had a neod-to-know. Tt would eliminate the neta 


for ell users to have @LL clearances for all Tiles ia the syste. 

The adoption of such a systan would also fit with the OCS econ | 

for one central COINS computer rather than the many now employed. | | 
7. Whe Security people, however, have probleme with such a 

systen, Two ocs ovPicials told us thet our Office of & Seaurdty believes 

that there te no woy %o mike @ COLES time-charlag  8y ire} ae seeure Dub 


that 05 3 bas aot gt thelr reasons fn we ating “06s also expre seek 
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canzern auout the limited amount of effort Oo vas eiviug tae tliee 
gharing security groblen. The OCS officials are convinedd that a 
timasahaving multi~cleavauecs level COINS can be made secure ered 
swemad disturbed about what they viewed as an intransigent position 
on the part of OS. ‘the O8 officer responsibie for “Ageney ADP security 
wag then intervieved to determine if a true impasse axteted. 

3. The OS ADP officer, who is also Chairnsn of the 22k BP Seourhty 
Subcommittee of the USIR Secaurd aby Comelttes, confirmed the OCS view 
shat Security believes time-sharing with the Tai 360/67 with malti- 
clearance level files has security problem. At the present (ine 
there are about 50 remote terminalis tied te our Agency time-sharing 
360/67. A great mauy people have access to tha 50 terminals. lore 
people hive access to the computer and the files in OCS. If a 360/67 
auch a3 ours were thea the one central computer for COINS, possibly 
thousands more would heave access to the Tiles. More thousands of 
people would te added af DEA ties the Ucified and Specified Coumaucs 
to COLES se they have proposed. Unlike the “old éaya" wherein Securit 
concentrated on people and the files they kept ia a few sate Gravers, 
(05 pelleves it is now faced with a problem over uiich 14 could lose 
all security control. 

9, O08 belleves that the advent of the first ADP-based Tiles 
antl ied the potential Tax apillage, tamporiosg , nee hous etrstion of. 


“ - gytbeligence invormtion. Ta their views: timo~shoring hes mace woe 
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problem paoy, many times worse. OS thon raises the question of the 
demee of security va caa now accept with time-schering aaa how this 
degree of eecurlty ils to be established. 

“40. OS delteves certain steps oust be taken to autablish the 
degree of security thet ia accapteble with the 360/67. These are ss 
follows: | es 

| Determine the geeurity features: in the ADP sycten. 

Determine the security flaws in the systen. | 
é. Test the syeter with a controlled experinent. | 

Each step hes sub-steps. for exanple > in iten b., Security would wast 
. 9 study the hardware Yor flevs. The executive sofevare that controls 

tae hardware would slso have to be studied for flaws. They would alae 

have to look at the individual job programs, the access control, the 

euse of pengtration, @tc. 

Ww. OS feela thet these three steps would than give then « PDL 
pavi” understanding of the system's security. 05 dogs not now have 
the capability to de even this basic job. With this in mind, it is 
understendable why they have not done more with OOS to work cut the 
socuraty problems of a COINS wultd-clearaace, multi-access tine~ 
shoving syaten. 


Ls. 08 belteves that the besic manpower requlroment to do the . 


“health pack” study outlines above would take 6 six-mau group. ne 


rape 


 gxoup would include two couputer hardware deciga apeciaiiots, wo 
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computer systens programmers, and two security people; at least 


one of whow would have ADP experience. 

13. The complex ADP security problem is hitting 0S at a tine 
when they are being asked to eut back in manpower. There ig thea 
the question of where 08 allocates its effort. Prom the CCS's view 3 
more should be directed toward the time-sharing ADP security eee 
In our judgment, the Agency has made a large conmi tmex nt to time=- : 
sharing ADP as well as to the COLHS experiment . We Goubt that our 
commitments in these two areas will diminish or even hold steady. 

An expanded effort appears inevitable. The IG Audit Starr is now 
acquiring an ADP audit capability in recognition of the continuing 
and expanding audit requirements in this area. We believe the 
Office of Security must also give ADP an lacreasing amount of 

- attention. | | 

Recommendation No. 9 


That OCS and OS review their ADP security manpower 
vequiremente and develop measures to insure the secure, 
compartmented use of the OCS time-sharing 360/67 system 
both for CIA internal needs and for potential COLNS 
applications... 


ral 


ih, Emergency Planning ~ One major unsolved problem in the ods 
field of activities which has a security connotation is the lack of 
PE in the event of disaster. There currently exists 


mete) formal ae aa aa of any ee to provide for continuation 
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3. The technical people that carry cut ow ADP efforts are 
highly trained and skilled specialists. Competition for their 
services is intense. However, OCS has been able to hire these 
people, but holding them has been more difficult. We believe that 
OCS would hold more than trey do if the Office working enavironcent 
could be expanded and improved. 

hk, Whe OCS managemcat 4s fully awaye of the space problen ant 
has eaten toward mw solution. The Office managers are concerned 
gbout vearranging, clesning, and brightening up thelr vork aveas; 
and taking steps to cut dovn ou the noise level. In our jucgnent, 
however, ees te be done. 


Recommendation No. 13 


That DDS arrange for a thorough study of OCS 
space needs and, upon completion, take whatever 
action possible to satisfy the needs. 
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